GA4 Connector
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The authorized account's GA4 data can be read by this connector, and anyone who can access the local token file may be able to reuse that access.
The script obtains Google OAuth authorization with a read-only Analytics scope and stores the resulting token locally for reuse.
SCOPES = ["https://www.googleapis.com/auth/analytics.readonly"] ... DEFAULT_TOKEN_FILE = CONFIG_DIR / "ga4-token.json" ... token_path.write_text(creds.to_json())
Authorize only the correct Google account, keep ~/.config/openclaw private, and delete or revoke ga4-token.json when you no longer want the connector to have access.
Dependency updates or package-source issues could affect the local setup or behavior over time.
The installer pulls unpinned Python packages into the user's environment; this is expected for the connector but depends on current package-source resolution.
python3 -m pip install --user google-analytics-data google-auth-oauthlib google-auth-httplib2
Run the installer only from the reviewed skill directory, and consider a virtual environment or pinned dependency versions for sensitive environments.
The local shell configuration is changed so future terminals inherit the GA4 property ID.
The setup script executes embedded Python to edit the user's shell startup file, creating a persistent GA4_PROPERTY_ID setting.
python3 - <<PY ... text += 'export GA4_PROPERTY_ID="$PROPERTY_ID"\\n' ... rc.write_text(text)
Run setup intentionally, use a normal numeric GA4 property ID, and inspect or remove the added line from ~/.bashrc or ~/.zshrc if needed.